diff --git a/analyzer/windows/data/yara/HijackLoader.yar b/analyzer/windows/data/yara/HijackLoader.yar
new file mode 100644
index 00000000000..7e74dc0cdc7
--- /dev/null
+++ b/analyzer/windows/data/yara/HijackLoader.yar
@@ -0,0 +1,13 @@
+rule HijackLoaderStub
+{
+ meta:
+ author = "kevoreilly"
+ description = "HijackLoader Stub Executable"
+ cape_options = "dump-limit=0,dump"
+ strings:
+ $stub1 = {50 83 C0 10 50 56 8D 85 [4] 50 E8 [4] 83 C7 30 8D 85 [4] 3B F8 74 08 8B 35 [4] EB D3}
+ $stub2 = {33 C5 89 45 ?? (C6 45 ?? 00|C7 45 ?? 61 7A 2D 2D) 8D 45 ?? FF 75 ?? C7 45 ?? 30 39 41 5A 50 8D 45 (??|?? C7 45 ?? 61 7A 2D 2D) 50 E8}
+ $app = "\\app-" wide
+ condition:
+ 2 of them
+}
diff --git a/analyzer/windows/modules/auxiliary/amsi.py b/analyzer/windows/modules/auxiliary/amsi.py
index 05750811be8..9e20572065b 100644
--- a/analyzer/windows/modules/auxiliary/amsi.py
+++ b/analyzer/windows/modules/auxiliary/amsi.py
@@ -31,6 +31,7 @@ import sys import threading import uuid +from contextlib import suppress logger = logging.getLogger(__name__)
@@ -1001,6 +1002,11 @@ def _unpackSimpleType(self, record, info, event_property): data = formatted_data.value # Convert the formatted data if necessary + if isinstance(data, str): + if out_type >= TDH_OUTTYPE_BYTE and out_type <= TDH_OUTTYPE_UNSIGNEDLONG: + with suppress(Exception): + data = int(data) + if out_type in TDH_CONVERTER_LOOKUP and type(data) is TDH_CONVERTER_LOOKUP[out_type]: data = TDH_CONVERTER_LOOKUP[out_type](data)
diff --git a/data/yara/CAPE/HijackLoader.yar b/data/yara/CAPE/HijackLoader.yar
new file mode 100644
index 00000000000..01d8cff22ee
--- /dev/null
+++ b/data/yara/CAPE/HijackLoader.yar
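Review bot: The rule body here is byte-identical to the copy added under data/yara/CAPE/HijackLoader.yar in this same commit, differing only in the `cape_options` versus `cape_type` meta line, so any later tweak to `$stub1` or `$stub2` has to be made in two places; a leading `// keep in sync with data/yara/CAPE/HijackLoader.yar` comment in each file (and the mirror comment in the other) would make that coupling visible. The `2 of them` condition also lets `$app = "\\app-" wide` count as one of the two required matches next to a single opcode pattern, and that path fragment presumably occurs in ordinary installer/update directory layouts rather than only in this loader; if a lone stub plus that string is intended to be sufficient, a one-line comment saying so would help later false-positive tuning, otherwise `all of ($stub*)` pins the condition to the two code patterns. The same points apply to the data/yara/CAPE copy.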
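Review bot: `with suppress(Exception)` around `data = int(data)` is broader than needed, since `data` is already known to be a `str` at that point and a failed `str`-to-`int` conversion raises only `ValueError`; `with suppress(ValueError):` keeps unrelated bugs visible while still tolerating non-numeric formatted text. When the conversion does fail the value is silently left as a `str`, which then cannot satisfy the `type(data) is TDH_CONVERTER_LOOKUP[out_type]` check on the following line, so a formatted value that is not plain decimal would pass through unconverted with no trace; a `logger.debug` in that path would make the behaviour observable. As a style point the range test reads better as a chained comparison, `if TDH_OUTTYPE_BYTE <= out_type <= TDH_OUTTYPE_UNSIGNEDLONG:`, which assumes, as the current code does, that the constants follow the TDH_OUTTYPE enum ordering where the integer out-types are contiguous. The enclosing `_unpackSimpleType` starts and ends outside this hunk.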
@@ -0,0 +1,13 @@
+rule HijackLoaderStub
+{
+ meta:
+ author = "kevoreilly"
+ description = "HijackLoader Stub Executable"
+ cape_type = "HijackLoader Payload"
+ strings:
+ $stub1 = {50 83 C0 10 50 56 8D 85 [4] 50 E8 [4] 83 C7 30 8D 85 [4] 3B F8 74 08 8B 35 [4] EB D3}
+ $stub2 = {33 C5 89 45 ?? (C6 45 ?? 00|C7 45 ?? 61 7A 2D 2D) 8D 45 ?? FF 75 ?? C7 45 ?? 30 39 41 5A 50 8D 45 (??|?? C7 45 ?? 61 7A 2D 2D) 50 E8}
+ $app = "\\app-" wide
+ condition:
+ 2 of them
+}
diff --git a/utils/dist.py b/utils/dist.py
index 5b9bb0b6fae..7ddf845a8c8 100644
--- a/utils/dist.py
+++ b/utils/dist.py
@@ -1450,7 +1450,7 @@ def submit_tasks(self, node_name, pend_tasks_num, options_like=False, force_push """ # 4. Apply the limit and execute the query. to_upload = db.scalars(stmt.limit(pend_tasks_num)).all() - + if not to_upload: db.commit() log.info("nothing to upload? How? o_O")
diff --git a/web/guac/views.py b/web/guac/views.py
index 2223a8c449f..e090e7aa7e0 100644
--- a/web/guac/views.py
+++ b/web/guac/views.py
@@ -35,37 +35,51 @@ def index(request, task_id, session_data): state = None recording_name = "" - conn = libvirt.open(machinery_dsn) - if conn: - try: - session_id, label, guest_ip = urlsafe_b64decode(session_data).decode("utf8").split("|") - recording_name = f"{task_id}_{session_id}" - dom = conn.lookupByName(label) - if dom: - state = dom.state(flags=0) - except Exception as e: - return render( - request, - "guac/error.html", - {"error_msg": f"{e}", "error": "remote session", "task_id": task_id}, - ) - - if state: - if state[0] == 1: - vmXml = dom.XMLDesc(0) - root = ET.fromstring(vmXml) - graphics = root.find('./devices/graphics[@type="vnc"]') - vncport = graphics.get("port") if graphics else None - return render( - request, - "guac/index.html", - { - "vncport": vncport, - "session_id": session_id, - "task_id": task_id, - "recording_name": recording_name, - "guest_ip": guest_ip, - }, - ) - else: - return render(request, "guac/wait.html", {"task_id": task_id}) + try: + conn = libvirt.open(machinery_dsn) + if conn: + try: + session_id, label, guest_ip = urlsafe_b64decode(session_data).decode("utf8").split("|") + recording_name = f"{task_id}_{session_id}" + dom = conn.lookupByName(label) + if dom: + state = dom.state(flags=0) + except Exception as e: + return render( + request, + "guac/error.html", + {"error_msg": f"{e}", "error": "remote session", "task_id": task_id}, + ) + + if state: + if state[0] == 1: + vmXml = dom.XMLDesc(0) + root = ET.fromstring(vmXml) + graphics = root.find('./devices/graphics[@type="vnc"]') + vncport = graphics.get("port") if graphics else None + return render( + request, + "guac/index.html", + { + "vncport": vncport, + "session_id": session_id, + "task_id": task_id, + "recording_name": recording_name, + "guest_ip": guest_ip, + }, + ) + else: + return render(request, "guac/wait.html", {"task_id": task_id}) + finally: + if conn: + try: + conn.close() + except Exception: + pass + + # Fallback return if something went wrong before rendering 
+ return render( + request, + "guac/error.html", + {"error_msg": "Could not connect to hypervisor", "error": "remote session", "task_id": task_id}, + )
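Review bot: `conn` is first assigned inside the new `try`, so if `libvirt.open(machinery_dsn)` raises, the `finally` block's `if conn:` trips over an unbound local and that `UnboundLocalError` replaces the original libvirt error in the traceback; initialise it before the block with `conn = None` on the line above `try:`. A failure of `libvirt.open` is also not caught by any `except` in the new structure, so the request still propagates the exception rather than reaching the "Could not connect to hypervisor" fallback, which as written is only reached when `conn` is falsy or `state` stays `None`; if the fallback is meant to cover connection failures, the outer `try` needs an `except libvirt.libvirtError as e:` branch that renders the error template the same way the inner handler does. The enclosing `index` starts before this hunk (its `def` line appears only in the hunk header) and may continue past it.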